VYPR
High severity · NVD Advisory · Published Jan 22, 2021 · Updated Aug 3, 2024

CVE-2021-25906

Description

An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. When a TransformContent panic occurs, a double drop can be performed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2021-25906 is a memory-safety vulnerability in the basic_dsp_matrix Rust crate (versions before 0.9.2): a double drop occurs when a panic happens inside a TransformContent conversion.

CVE-2021-25906: Panic safety issue in basic_dsp_matrix

The vulnerability exists in the basic_dsp_matrix crate (versions prior to 0.9.2) for Rust. The issue lies in the implementation of the TransformContent trait for the fixed-size arrays [S; 2], [S; 3], and [S; 4] [1]. The transform and transform_res methods use unsafe code that moves elements out of the array with ptr::read and only afterwards calls mem::forget(self), without ensuring that a panic in the caller-provided closure cannot lead to a double drop [3]. Specifically, if the conversion closure panics after the first element has been read but before mem::forget(self) is reached, the forget call never executes: unwinding drops the original array, while the element already read out of it is owned (and dropped) by the closure or by the partially constructed result, so the same memory is dropped twice [3][4].
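As an added illustration (not the crate's own code), the following reconstructs the ptr::read / mem::forget pattern the advisory describes next to a panic-safe form, using a constructed drop-counting type so the difference is observable; it assumes a 2-element array and a closure that panics on the second element.

```rust
use std::cell::Cell;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::{mem, ptr};

thread_local! { static DROPS: Cell<usize> = Cell::new(0); }

/// Constructed test type: counts every drop so a double drop becomes visible.
struct Counted(u32);
impl Drop for Counted {
    fn drop(&mut self) { DROPS.with(|d| d.set(d.get() + 1)); }
}

/// Pattern the advisory describes (a reconstruction, not the crate's code):
/// elements leave the array via ptr::read and the array is forgotten only at
/// the end. If `f` panics, mem::forget is never reached, so unwinding drops
/// `src` on top of the element `f` already owns: one value, two drops.
#[allow(dead_code)]
unsafe fn transform_unsound<S, T>(src: [S; 2], mut f: impl FnMut(S) -> T) -> [T; 2] {
    let a = f(ptr::read(&src[0]));
    let b = f(ptr::read(&src[1]));
    mem::forget(src);
    [a, b]
}

/// Hardened form: wrap the array in ManuallyDrop before the first read so no
/// unwinding path can drop it; each element is then owned exactly once.
/// (A panic may leak elements not yet read, which is memory-safe.)
fn transform_sound<S, T>(src: [S; 2], mut f: impl FnMut(S) -> T) -> [T; 2] {
    let src = mem::ManuallyDrop::new(src);
    // SAFETY: every index is read exactly once and `src` is never dropped.
    let a = f(unsafe { ptr::read(&src[0]) });
    let b = f(unsafe { ptr::read(&src[1]) });
    [a, b]
}

/// Runs the sound transform with a closure that panics on the second element
/// and returns the number of drops. Exactly three values exist on that path
/// (two inputs and one finished output), so a correct result is 3; the
/// unsound version would report 5, the two inputs being dropped again.
pub fn drops_when_closure_panics() -> usize {
    DROPS.with(|d| d.set(0));
    let input = [Counted(1), Counted(2)];
    let result = catch_unwind(AssertUnwindSafe(|| {
        transform_sound(input, |x| {
            if x.0 == 2 { panic!("conversion failed"); }
            Counted(x.0 * 2)
        })
    }));
    assert!(result.is_err());
    DROPS.with(|d| d.get())
}
```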

The attack surface is remote and requires no authentication or user interaction; the vulnerability can be triggered purely by invoking the affected transform or transform_res methods with a closure that panics under certain conditions [4]. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-based, low-complexity attack [4]. An attacker could supply input that causes a panic during the transformation, leading to a double free of heap-allocated or otherwise non-Copy data stored in the array elements [3][4].

The impact is a double drop, which is undefined behavior; it typically manifests as a program crash (denial of service) and could potentially be leveraged for memory corruption in certain scenarios [1][4]. The RustSec advisory rates the availability impact as high, while confidentiality and integrity are not affected [4].

The issue has been patched in version 0.9.2 of the crate [1]. Users should upgrade to this version or later. However, as of the reference date, the crate's repository indicates it is no longer actively maintained [2], so users may need to consider alternative libraries or apply the fix manually if updates become unavailable.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Source      Affected versions   Patched versions
basic_dsp_matrix   crates.io   < 0.9.2             0.9.2
